Random Oracle Reduciblity

Paul Baecher and Marc FischlinDarmstadt University of Technology, Germany

Abstract.
We discuss a reduction notion relating the random oracles in two cryptographic
schemes A and B. Basically, the random oracle of scheme B reduces to the
one of scheme A if any hash function instantiation of the random
oracle (possibly still oracle based) which makes A secure also makes B
secure. In a sense, instantiating the random oracle in scheme B is thus not
more demanding than the one for scheme A. If, in addition, the standard
cryptographic assumptions for scheme B are implied by the ones for scheme
A, we can conclude that scheme B actually relies on weaker assumptions.
Technically, such a conclusion cannot be made given only individual proofs in
the random oracle model for each scheme.

The notion of random oracle reducibility immediately allows to transfer an
uninstantiability result from an uninstantiable scheme B to a scheme A to
which the random oracle reduces. We are nonetheless mainly interested in the
other direction as a mean to establish hierarchically ordered random-oracle
based schemes in terms of security assumptions. As a positive example, we
consider the twin Diffie-Hellman (DH) encryption scheme of Cash et al.~(Journal
of Cryptology, 2009), which has been shown to be secure under the DH assumption
in the random oracle scheme. It thus appears to improve over the related hashed
ElGamal encryption scheme which relies on the random oracle model and the
strong DH assumption where the adversary also gets access to a decisional DH
oracle. As explained above, we complement this believe by showing that the
random oracle in the twin DH scheme actually reduces to the one of the hashed
ElGamal encryption scheme. We finally discuss further random oracle reductions
between common signature schemes like GQ, PSS, and FDH.